This check looks for ways that Django's SQL injection protection is bypassed in the extra()
queryset method by quoting the parameter placeholders in the raw SQL fragments.
This check inspects every string literal passed in the following keyword arguments:
- "where", "select", "tables", "order_by", "params"
In this example, the quoted '%s' placeholder leaves the othercol comparison vulnerable to SQL injection:
qs.extra(
    select={'val': "select col from sometable where othercol = '%s'"},
    select_params=(someparam,),
)
The same applies to the where argument:
MyDataModel.objects.extra(where=['headline="%s"'], params=['Lennon'])
Remove the quotes around the placeholders; Django quotes and escapes the supplied params itself:
MyDataModel.objects.extra(where=['headline=%s'], params=['Lennon'])
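The detection described above, written out as an added example rather than the checker's own implementation: it parses Python source with the standard ast module, finds calls to a method named extra(), and reports any string literal in the listed keyword arguments that contains a '%s' placeholder wrapped in quotes. The keyword-argument names come from the page; the regular expression, the helper names and the constructed sample source are assumptions of this example.

```python
import ast
import re

# Keyword arguments of QuerySet.extra() whose string literals are inspected
# (the list given on the page).
EXTRA_KWARGS = {"where", "select", "tables", "order_by", "params"}

# A '%s' placeholder wrapped in matching single or double quotes, e.g. col = '%s'.
# Quoting the placeholder puts the parameter inside a string the database already
# treats as quoted, which defeats the quoting Django applies to params itself.
QUOTED_PLACEHOLDER = re.compile(r"""(['"])%s\1""")


def _string_literals(node):
    """Yield every string constant inside an argument expression (dict, list, tuple or plain str)."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            yield sub


def find_quoted_extra_params(source):
    """Return (line, kwarg, literal) for each quoted %s placeholder passed to .extra()."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Match any receiver: qs.extra(...), Model.objects.extra(...), etc.
        if not (isinstance(func, ast.Attribute) and func.attr == "extra"):
            continue
        for kw in node.keywords:
            if kw.arg not in EXTRA_KWARGS:
                continue
            for lit in _string_literals(kw.value):
                if QUOTED_PLACEHOLDER.search(lit.value):
                    findings.append((lit.lineno, kw.arg, lit.value))
    return findings


# Constructed sample: the two vulnerable calls from the page followed by the fixed one.
SAMPLE = '''
qs.extra(
    select={"val": "select col from sometable where othercol = '%s'"},
    select_params=(someparam,),
)
MyDataModel.objects.extra(where=['headline="%s"'], params=['Lennon'])
MyDataModel.objects.extra(where=['headline=%s'], params=['Lennon'])
'''

if __name__ == "__main__":
    for line, kwarg, literal in find_quoted_extra_params(SAMPLE):
        print(f"line {line}: quoted placeholder in extra({kwarg}=...): {literal!r}")
```

Running the script reports the select literal on line 3 and the where literal on line 6 of the sample; the corrected call on line 7, whose placeholder is unquoted, produces no finding.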